The GitHub Actions job "License Binary Checker" on texera.git/release/v1.2 has failed. Run started by GitHub user xuang7 (triggered by xuang7).

Head commit for run:
24e5b70187d36b25bd04552e555cccaaf11d912e / Yicong Huang <[email protected]>
fix(auth): require REGULAR/ADMIN role on LiteLLM proxy endpoints (#5421)

### What changes were proposed in this PR?

`LiteLLMProxyResource` (`/chat/*`) and `LiteLLMModelsResource` (`/models`) in `access-control-service` were `@PermitAll` — they contain no auth check beyond a `guiWorkflowWorkspaceCopilotEnabled` feature flag, so any anonymous caller could spend the deployment's LiteLLM credits whenever Copilot was on. PR #5404 left the annotations in place to preserve pre-eager-filter behavior and deferred the hardening decision; this picks it back up.

Both classes now use `@RolesAllowed(Array("REGULAR", "ADMIN"))`. The JwtAuthFilter from #5404 runs at `Priorities.AUTHENTICATION`, so missing tokens fall to a 401 from the filter and bad-role tokens fall through to a 403 from Jersey's role check. `access-control-service` was the one microservice that hadn't picked up `RolesAllowedDynamicFeature` when #5199 added it elsewhere, so this PR also registers the feature in `AccessControlService.scala` — otherwise the annotations would have been decorative.

`AccessControlServiceRunSpec` is updated to pin the registration so a future refactor can't quietly drop it and send us back to anonymous-LLM-access.

### Any related issues, documentation, discussions?

Closes #5420. Follow-up hardening for #5404.

### How was this PR tested?

`sbt AccessControlService/test` (22 cases) and `sbt scalafmtCheckAll` clean. Manual verification against a running access-control-service: anonymous `curl http://localhost:8081/api/models` returns 401 with `WWW-Authenticate: Bearer realm="texera"` instead of the pre-PR 200; a REGULAR-role bearer token gets through to LiteLLM as expected.

### Was this PR authored or co-authored using generative AI tooling?

(backported from commit afc5f98c8e512c1e90f8fee86dd0a596e58d08d9)
Generated-by: Claude Code (Opus 4.7)

Report URL: https://github.com/apache/texera/actions/runs/27225018240

With regards,
GitHub Actions via GitBox
